PURPOSES GOOGLE

In document DPIA on the use of Google G Suite (Enterprise) for Education (pages 85-93)

4. PURPOSES OF THE PROCESSING

4.2 PURPOSES GOOGLE

As will be analysed in Section 5, Google considers itself to be a data processor for the processing of personal data in Customer Data from the Core Services, the Features, the Google Account (to the extent used in conjunction with a Core Service) and the Technical Support Services. Section 4.2.1 discusses the purposes described in the G Suite DPA (the data processing agreement between the universities and Google) and the purposes identified by Privacy Company on the basis of the G Suite DPA, other Google documentation, responses from Google and the technical findings of this DPIA.

Google considers itself to be an independent data controller for the processing of personal data actively provided by end-users in (a) the Additional Services, (b) the Google Account (to the extent not used in conjunction with a Core Service) and (c) Feedback and possible Other related services.

Google also considers itself to be an independent data controller for the processing of all Diagnostic Data, including about the use of the Core Services and about the use of the Technical Support Services.

At the time of completion of this DPIA, Google only described the purposes of its processing of personal data as a data controller in its (consumer) Privacy Policy.190 These purposes are discussed in Section 4.2.2.

4.2.1 Purposes personal data in Core Services, Features and the Google Account when used in conjunction with the Core Services

In the G Suite for Education Privacy Notice, Google writes: “User personal information collected in the Core Services is used only to provide the Core Services.”191

The G Suite DPA applies to both G Suite for Education and G Suite Enterprise for Education. The G Suite DPA contains the following descriptions of the purposes for which personal data in Customer Data from the Core Services are processed:

“Google will process Customer Personal Data for the purposes of providing the Services and TSS to Customer in accordance with the Data Processing Amendment.”192

“Customer instructs Google to process Customer Personal Data only in accordance with applicable law:

to provide the Services and TSS;

as further specified via Customer’s and End-users’ use of the Services (including the Admin Console and other functionality of the Services) and TSS;

as documented in the form of the applicable Agreement, including this Data Processing Amendment; and

as further documented in any other written instructions given by Customer and acknowledged by Google as constituting instructions for purposes of this Data Processing Amendment.”193

190 After completion of this DPIA, on 12 November 2020 Google published a Google Cloud Privacy Notice with a list of purposes for the so-called Service Data, URL: https://cloud.google.com/terms/cloud-privacy-notice.

191 Google G Suite for Education Privacy Notice, URL: https://gsuite.google.com/terms/education_privacy.html. After completion of this DPIA, at the end of February 2021, Google renamed this notice to Google Workspace for Education Privacy Notice.

192 Appendix 1 G Suite DPA, version 2.2. After completion of this DPIA, Google published version 2.3. A textual comparison shows that there are no meaningful differences, except for the renaming of G Suite to Google Workspace and the removal of references to the EU-US Privacy Shield. A copy of version 2.2 of the DPA can be found in the Wayback Machine of the Internet Archive, URL: https://web.archive.org/web/20200618185551/https://gsuite.google.com/terms/dpa_terms.html. Version 2.3 of the DPA is available at the URL: https://workspace.google.com/terms/dpa_terms.html

“For clarity, Google will not process Customer Personal Data for Advertising purposes or serve Advertising in the Services.”194

In the context of this DPIA, Privacy Company asked Google to specify what ‘providing the Services and TSS’ constitutes. Google did not provide any further description other than: “according to the documented instructions of our customer as a data controller, which are set out in the section of the DPA entitled ‘Customer’s Instructions’.”

Google added: “In the same section, Google commits to not process Customer Personal Data other than as instructed.”195

Google mentions in the G Suite DPA that it secures the Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including by encrypting personal data and by helping to restore timely access to personal data following an incident.196

In Appendix 2 to the G Suite DPA, Google describes the applicable security measures. This description includes a number of scenarios where Google may process Customer Data (including personal data) specifically for the purpose of security.

“Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Google’s intrusion detection involves:

1. tightly controlling the size and make-up of Google’s attack surface through preventative measures;

2. employing intelligent detection controls at data entry points; and

3. employing technologies that automatically remedy certain dangerous situations.

Incident Response. Google monitors a variety of communication channels for security incidents, and Google’s security personnel will react promptly to known incidents.

Encryption Technologies. Google makes HTTPS encryption (also referred to as SSL or TLS connection) available. Google servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.

(…)

Infrastructure Security Personnel. Google has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Google’s infrastructure security personnel are responsible for the ongoing monitoring of Google’s security infrastructure, the review of the Services, and responding to security incidents.

(...)

(b) Decommissioned Disks and Disk Erase Policy.

Disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) before leaving Google’s premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk’s serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed.”

193 Clause 5.2.1 G Suite DPA.

194 Clause 5.2.2 G Suite DPA.

195 Google reply to part A of the DPIA.

196 G Suite (Enterprise) for Education DPA, Appendix 1: Google’s provision of the Services and TSS to Customer. “Google will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). The Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Google’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Google may update the Security Measures from time to time provided that such updates do not result in the degradation of the overall security of the Services.”

With respect to Intrusion Detection and Incident Response, Google, like any other service provider, keeps logs in its own security monitoring systems (SIEM). Such logs may include personal data in Customer Data.

According to Google, these security purposes are not (sub)purposes, because “they are processing activities carried out to fulfil the instruction to provide G Suite services subject to the contractual security safeguards specified in Appendix 2 of the DPA.”197

Second, the G Suite DPA states that Google performs regular testing of the effectiveness of its security measures.198 In the absence of further information, it cannot be excluded that these tests involve the processing of personal data in Customer Data. Testing must be regarded as a separate purpose, as testing the measures is distinctly different from applying them. In reply to this DPIA Google explained that Customer Personal Data are not used to test security measures.

Third, in the G Suite DPA and TSS guidelines Google describes the processing of Customer Personal Data for Technical Support services. As described in Section 1.4.4, Google explained: “Google remains a data processor in respect of Customer Personal Data accessed by Support agents in order to provide support.”

Another purpose referred to in the G Suite DPA is processing to comply with obligations under applicable law.199 This type of disclosure is discussed in more detail in Section 5.3.7 of this report.

Google documentation and responses

In a G Suite security whitepaper, Google explains: “Google indexes customer data to provide beneficial services, such as spam filtering, virus detection, spellchecker and the ability to search for emails and files within an individual account.”200 In response to questions from Privacy Company, Google confirmed that it processes personal data in Customer Data to detect, prevent or address spam, malware and illegal activity.201

According to Google, the processing of personal data for security purposes and the detection of spam, malware and illegal activity is compatible with the main purpose of providing the service.

Google writes:

“The processing of Customer Personal Data to provide secure G Suite services is compatible with the customer’s instructions (as documented in the G Suite DPA and as required by the GDPR), and should not be seen as a distinct purpose of processing Google permits for itself.”202

197 Google reply to part A of the DPIA.

198 Clause 7.1.1 G Suite DPA.

199 Clause 5.2.2 G Suite DPA.

200 Google Cloud Security and Compliance, Data Usage, No advertising in G Suite, URL: https://gsuite.google.com/learn-more/security/security-whitepaper/page-6.html#our-philosophy.

201 From responses provided by representatives of Google to SLM Microsoft Rijk during the course of the DPIA.

With regard to the detection of illegal activity, Google refers to an online form that administrators can use to report abuse incidents.203 Google also explains that it may identify known abuse content itself. “For example, Google will block the sharing of viruses and malware within Google Drive based on industry standard scanning practices which rely on recognition of suspect ‘signatures’ and characteristics.”204

On its public help page about uploading files to Google Drive, Google writes: “Google Drive scans a file for viruses before the file is downloaded or shared. If a virus is detected, end-users cannot convert the infected file to a Google Doc, Sheet, or Slide, and they'll receive a warning if they attempt these operations. (…) All Google Drive files, including uploaded or converted files, follow the same program policy. Learn more.”205

The hyperlinked words ‘Learn more’ lead to a page with 13 different program policies applicable to consumer services. For G Suite (Enterprise) for Education, the only relevant policy is the G Suite Acceptable Use Policy.206 This policy lists customer compliance obligations, but does not mention proactive analysis by Google.

The technical findings of this DPIA show that Google also uses Customer Data from the Core Services to improve its products and services. As described in Section 1.4, Google uses Customer Data from Core Services to improve the Feature Spelling and Grammar through machine learning.207

After questions from Privacy Company, Google provided further details about the purposes of the processing. Google requested that this information remain confidential.

In sum, Google processes personal data from the Core Services for the following purposes:

1. Transmitting (technically delivering) the Core Services;

2. Providing Technical Support Services;

3. Securing the services;

4. Proactively scanning, detecting and addressing viruses, malware and spam;

5. Improving the services, such as by using machine learning to improve the Feature Spelling and Grammar;208

6. Complying with obligations under applicable law.

202 Google reply to part A of this DPIA.

203 Google, Reporting Abuse Incidents, URL: https://support.google.com/a/answer/134413?hl=en

204 From responses provided by representatives of Google to SLM Microsoft Rijk during the course of the DPIA.

205 Google, upload files to Google Drive, bottom of the page under ‘Security’, URL: https://support.google.com/a/answer/172541?hl=en

206 G Suite Acceptable Use Policy, URL: https://gsuite.google.com/intl/en/terms/use_policy.html

207 Google, Correct your spelling & grammar in Google Docs, URL: https://support.google.com/docs/answer/57859? After completion of this report, Google provided guarantees it will not use any spelling and grammar data to improve the spelling services outside of the domain of each Enterprise customer.

208 In reply to this DPIA, Google explained that Customer Data are only used for machine learning to improve spelling and grammar suggestions within that customer’s domain.

4.2.2 Purposes Diagnostic Data and Account Data from the Core Online Services

As further explained in Sections 1.5 and 5.3 of this report, Diagnostic Data are not included in the scope of the G Suite DPA. Google has not published any documentation about the purposes for which it processes Diagnostic Data from the Core Services.

In reply to part A of this DPIA, Google provided 8 purposes:

1. “Providing the services;

2. Providing technical support;

3. Improving the services, based on aggregate usage information;

4. Keeping the service up-to-date (providing automatic product updates);

5. Providing secure services;

6. Communicating with our customers and their admins [Contact Data];

7. Managing G Suite accounts (including billing and financial records);

8. Complying with applicable law.”209

The purpose of ‘improving the services’ is also explicitly mentioned by Google in relation to the collection of telemetry data from Android devices: “The data is analyzed and used to improve products, hardware, and services.”210

After questions from Privacy Company, Google provided further details about these purposes of the processing. Google requested that this information remain confidential.

Based on public documentation quoted above, Google also processes the Diagnostic Data for the following purpose:

9. Proactively scanning, detecting and addressing viruses, malware and spam.

As outlined in Section 2.3, Google sets a DoubleClick cookie when a non-authenticated end-user visits a log-in page for the G Suite Core Services, in order to determine whether the end-user is eligible for personalised ads, or whether the end-user is a child.

This purpose of the processing of the cookie Diagnostic Data is not mentioned in Google’s public documentation about DoubleClick cookies. Google writes: “We also use one or more cookies for advertising we serve across the web. One of the main advertising cookies on non-Google sites is named ‘IDE’ and is stored in browsers under the domain doubleclick.net. Another is stored in google.com and is called ANID. We use other cookies with names such as DSID, FLC, AID, TAID, and exchange_uid. Other Google properties, like YouTube, may also use these cookies to show you more relevant ads.”211

It follows from this public information that Google processes the Diagnostic Data for a tenth purpose:

10. Determining the account status and ads personalization preferences [cookies];

When administrators submit troubleshooting data to Google’s support department, they are warned that they should remove sensitive information, because Google can process these data as a data controller, for the purposes of its (consumer) Privacy Policy.

209 Google reply to part A of the DPIA.

210 See Section 2.3.1 of this report.

211 Google, Types of cookies used by Google, URL: https://policies.google.com/technologies/types?hl=en-US

Figure 31: Screenshot provided by Google

This reference from Google to its (consumer) Privacy Policy means it qualifies itself as a data controller, and not as a data processor. It is not clear why Google does not act as a data processor for the purpose of addressing support issues.

[CONFIDENTIAL]

Google considers all information about the purposes of processing Diagnostic Data provided during the course of this DPIA confidential. Google has committed to create “an Enterprise Privacy Notice that will provide clarification of the purposes for which we process personal information that Google collects or generates that is not Customer Data.” At the time of completion of this DPIA, no timeline was provided. On 12 November 2020, Google published a Google Cloud Privacy Notice with a list of purposes.212

Table 10: Purposes Customer Data and Diagnostic Data Core Services

Customer Personal Data:

1. Transmitting / providing the service;

2. Providing Technical Support Services;

3. Complying with applicable law;

4. Providing secure services;

5. Proactively scanning, detecting and addressing viruses, malware, spam and illegal activity;

6. Improving the services, such as using machine learning to improve the Feature Spelling and Grammar.

Other personal data (Diagnostic Data):

1. Transmitting / providing the service;

2. Providing Technical Support Services;

3. Complying with applicable law;

4. Providing secure services;

5. Proactively scanning, detecting and addressing viruses, malware, spam and illegal activity;

6. Improving the services, based on aggregate usage information;

7. Communicating with customers and admins [Account];

8. Managing G Suite accounts (including billing and financial records);

9. Keeping the service up-to-date;

10. Determining the account status and ads personalisation preferences [Cookie Data].

The UG provided an example of a Google newsletter that was sent to an employee who had not subscribed to it. This may be an example of the purpose ‘Communicating with our customers and their admins’.

212 Google, Google Cloud Privacy Notice, 7 December 2020, URL: https://cloud.google.com/terms/cloud-privacy-notice

Figure 32: Newsletter sent to G Suite user at UG

In reply to this DPIA, Google stated: “Google Workspace does not send unsolicited marketing mail to Google Workspace for Education Admins. Admins can opt in or out of different marketing mail and those selections are respected. For further information see: https://inthecloud.withgoogle.com/edu-preferences/EDU-Preferences-Center.html.”213 On this Admin help page, Google explains that there are 5 relevant marketing settings: four that affect communication with the primary admin, and a fifth setting that controls whether end-users receive ‘educational mails’.

Figure 33: Google help page about marketing settings

In reply, the RUG looked up its mail and marketing settings; they are shown in Figure 34 below. Neither the RUG nor Privacy Company has been able to find that fifth setting (called Product education and updates for users), either in the G Suite for Education edition or in the G Suite for Enterprise edition.

213 Google last-minute reply to high risks in Education DPIA, 23 February 2021.

Figure 34: RUG marketing settings 25 February 2021

4.2.3 Possible additional purposes for Customer Data and Diagnostic Data

Google does not provide an exhaustive list of purposes for the processing of the Customer Data, the Diagnostic Data, Account Data and other data about the use of the G Suite Core Services, such as cookie and website data.

Therefore this DPIA examines the more detailed description of purposes provided in Google’s (consumer) Privacy Policy. Since there is only one Google Account, and data from the Core Services are linked to Additional Services in the same back-end infrastructure, some of the purposes mentioned in the (consumer) Privacy Policy could very well apply to the Diagnostic Data collected through the use of the Core Services, because Google does not explicitly and publicly exclude such purposes. Unlike for the personal data in Customer Data, Google does not exclude the use of Diagnostic Data for advertising purposes in the G Suite DPA or other relevant contractual documents.

[CONFIDENTIAL]

Possible purposes for the processing of personal data in Customer Personal Data and the Diagnostic Data that are not contractually excluded are listed below. The key difference is that Google does exclude advertising purposes for the personal data in Customer Data, but not for Diagnostic Data. That is why advertising purposes are quoted between brackets, to indicate that they only apply to the Diagnostic Data.

1. Help end-users share content by suggesting recipients from their contacts;